<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML
><HEAD
><TITLE
>passwordcheck</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
REV="MADE"
HREF="mailto:pgsql-docs@postgresql.org"><LINK
REL="HOME"
TITLE="PostgreSQL 9.1.2 Documentation"
HREF="index.html"><LINK
REL="UP"
TITLE="Additional Supplied Modules"
HREF="contrib.html"><LINK
REL="PREVIOUS"
TITLE="pageinspect"
HREF="pageinspect.html"><LINK
REL="NEXT"
TITLE="pg_archivecleanup"
HREF="pgarchivecleanup.html"><LINK
REL="STYLESHEET"
TYPE="text/css"
HREF="stylesheet.css"><META
HTTP-EQUIV="Content-Type"
CONTENT="text/html; charset=ISO-8859-1"><META
NAME="creation"
CONTENT="2011-12-01T22:07:59"></HEAD
><BODY
CLASS="SECT1"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="5"
ALIGN="center"
VALIGN="bottom"
><A
HREF="index.html"
>PostgreSQL 9.1.2 Documentation</A
></TH
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="PASSWORDCHECK"
>F.24. passwordcheck</A
></H1
><P
>  The <TT
CLASS="FILENAME"
>passwordcheck</TT
> module checks users' passwords
  whenever they are set with
  <A
HREF="sql-createrole.html"
>CREATE ROLE</A
> or
  <A
HREF="sql-alterrole.html"
>ALTER ROLE</A
>.
  If a password is considered too weak, it will be rejected and
  the command will terminate with an error.
 </P
><P
>  To enable this module, add <TT
CLASS="LITERAL"
>'$libdir/passwordcheck'</TT
>
  to <A
HREF="runtime-config-resource.html#GUC-SHARED-PRELOAD-LIBRARIES"
>shared_preload_libraries</A
> in
  <TT
CLASS="FILENAME"
>postgresql.conf</TT
>, then restart the server.
 </P
><P
>  You can adapt this module to your needs by changing the source code.
  For example, you can use
  <A
HREF="http://sourceforge.net/projects/cracklib/"
TARGET="_top"
>CrackLib</A
>
  to check passwords &mdash; this only requires uncommenting
  two lines in the <TT
CLASS="FILENAME"
>Makefile</TT
> and rebuilding the
  module.  (We cannot include <SPAN
CLASS="PRODUCTNAME"
>CrackLib</SPAN
>
  by default for license reasons.)
  Without <SPAN
CLASS="PRODUCTNAME"
>CrackLib</SPAN
>, the module enforces a few
  simple rules for password strength, which you can modify or extend
  as you see fit.
 </P
><DIV
CLASS="CAUTION"
><P
></P
><TABLE
CLASS="CAUTION"
BORDER="1"
WIDTH="100%"
><TR
><TD
ALIGN="CENTER"
><B
>Caution</B
></TD
></TR
><TR
><TD
ALIGN="LEFT"
><P
>   To prevent unencrypted passwords from being sent across the network,
   written to the server log or otherwise stolen by a database administrator,
   <SPAN
CLASS="PRODUCTNAME"
>PostgreSQL</SPAN
> allows the user to supply
   pre-encrypted passwords. Many client programs make use of this
   functionality and encrypt the password before sending it to the server.
  </P
><P
>   This limits the usefulness of the <TT
CLASS="FILENAME"
>passwordcheck</TT
>
   module, because in that case it can only try to guess the password.
   For this reason, <TT
CLASS="FILENAME"
>passwordcheck</TT
> is not
   recommended if your security requirements are high.
   It is more secure to use an external authentication method such as Kerberos
   (see <A
HREF="client-authentication.html"
>Chapter 19</A
>) than to rely on
   passwords within the database.
  </P
><P
>   Alternatively, you could modify <TT
CLASS="FILENAME"
>passwordcheck</TT
>
   to reject pre-encrypted passwords, but forcing users to set their
   passwords in clear text carries its own security risks.
  </P
></TD
></TR
></TABLE
></DIV
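><P
>  The following sketch is an added example, not code from the
  <TT CLASS="FILENAME">passwordcheck</TT> source. It illustrates the limitation
  described in the caution above for MD5 pre-encrypted passwords, which have the form
  <TT CLASS="LITERAL">md5</TT> followed by the hex MD5 digest of the password
  concatenated with the role name. The function names, the role
  <TT CLASS="LITERAL">alice</TT>, the deny list and the plaintext rules are
  assumptions made for illustration.
 </P
>

```python
import hashlib

MIN_LEN = 8  # assumed minimum length for the plaintext rules (illustrative)

def pg_md5_verifier(password, role):
    """Pre-encrypted form: 'md5' followed by hex MD5 of password + role name."""
    return "md5" + hashlib.md5((password + role).encode("utf-8")).hexdigest()

def is_pre_encrypted(value):
    """True if the value has the shape of an MD5 pre-encrypted password."""
    digest = value[3:]
    return (value.startswith("md5") and len(digest) == 32
            and all(c in "0123456789abcdef" for c in digest))

def check_password(role, password, deny_list=()):
    """Return (accepted, reason) for a password set via CREATE/ALTER ROLE."""
    if is_pre_encrypted(password):
        # Only a hash is visible: the check can merely hash candidate values
        # (the role name, plus a hypothetical deny list) and compare.
        for candidate in (role, *deny_list):
            if pg_md5_verifier(candidate, role) == password:
                return False, "pre-encrypted password matches a known weak value"
        return True, "pre-encrypted: strength rules could not be applied"
    # Plaintext is visible, so real strength rules can run (assumed rules).
    if len(password) < MIN_LEN:
        return False, "password is too short"
    if role in password:
        return False, "password must not contain the role name"
    if not (any(c.isalpha() for c in password)
            and any(not c.isalpha() for c in password)):
        return False, "password must contain letters and non-letters"
    return True, "plaintext rules passed"

if __name__ == "__main__":
    role = "alice"  # constructed sample role
    for label, value in [
        ("plain 'abc'", "abc"),
        ("pre-encrypted 'abc'", pg_md5_verifier("abc", role)),
        ("pre-encrypted role name", pg_md5_verifier(role, role)),
    ]:
        print(label, "->", check_password(role, value))
```

<P
>  In this sketch the weak password <TT CLASS="LITERAL">abc</TT> is rejected when
  sent as plain text but accepted once the client pre-encrypts it, unless it
  happens to be among the values the check tries.
 </P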
></DIV
></BODY
></HTML
>